Welcome! Log In Create A New Profile

Advanced

Does stream module have support to negotiate ALPN when terminating TLS?

Previous Message Next Message
Forum List Message List New Topic Print View
sojuro
December 15, 2019 02:20AM
Is there support for forwarding to backends when clients are sending ALPN? I would like to use the stream module if possible. The following nginx config works successfully with a Go client but not with the Ruby client. This is similar to the problem with AWS ELB https://github.com/grpc/grpc/issues/18710


stream {
upstream stream_backend_1 {
server mygrpcservice:8080;
}
server {
listen 443 ssl;
proxy_pass stream_backend_1;
ssl_certificate /etc/ssl/test_cert.pem;
ssl_certificate_key /etc/ssl/test_key.pem;
ssl_preread on;
}
}

With preread on and nginx-debug I got the following in the logs and so the client is sending ALPN data
2019/12/15 03:21:12 [debug] 12#12: *1 ssl preread: ALPN protocols "grpc-exp"
2019/12/15 03:21:12 [debug] 12#12: *1 ssl preread: ALPN protocols "grpc-exp,h2"

but the Handshake fails in the grpc library because Server does not set the negotiated ALPN??
D1214 23:00:44.714269000 123145438679040 security_handshaker.cc:186] Security handshake failed: {"created":"@1576393244.714255000","description":"Cannot check peer: missing selected ALPN property.","file":"src/core/lib/security/security_connector/ssl_utils.cc","file_line":118}


Also fails with openssl

$ openssl s_client -connect test00.net:443 -alpn h2 | grep alpn
verify return:1
No ALPN negotiated

-s
Reply Quote
RSS
Subject Author Posted

Does stream module have support to negotiate ALPN when terminating TLS?

sojuro December 15, 2019 02:20AM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 177
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready